Cybersecurity thread - Sperg about cybersecurity and whatnot.


Do you use the same password on all websites?


  • Total voters: 107
I don't know, you can store your passwords like, in a notebook. Try hacking that, chinaman.

I find it amazing how many people are paranoid about things that don't really matter and then turn around and are entirely fine with giving the likes of Discord, Twitch, Facebook etc. etc. all their personal data. Then the awe and confusion are great when they get phishing spam 24/7. Yet it keeps happening.
 
I should probably look into using a password manager. I don't use the same one on all sites, but I'm guilty of cycling through a small number of passwords, with some variation on them.
If you do, don't use the browser's default (I explained why in exorbitant detail), and don't use Dashlane or any browser addon either. I still haven't used KeePass, so I can't comment on that either, but I'd avoid it personally.

It's better to store the passwords in a text file or just on a sheet of paper like the dude above me said.
 
Have you guys heard about this?
Windows MSDT zero-day now exploited by Chinese APT hackers
Microsoft knew about this since April. So glad I don't use Windows anymore.

It gets better:
Under normal circumstances, files from potentially unsafe locations are opened as read only or in Protected View. However, this warning can be easily bypassed by changing the document to a Rich Text Format (RTF) file. By doing so, the code can run without even opening the document via the preview tab in Explorer.
From Malwarebytes' blog
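The preview-pane point in the quote above is why this class of document is worth checking on disk rather than trusting Protected View. What follows is an added example, not code from the post or from Malwarebytes. It assumes the publicly documented shape of the CVE-2022-30190 ("Follina") documents that the MSDT zero-day headline refers to: an OOXML relationship of type oleObject whose Target is an external URL, and the ms-msdt: protocol-handler string, which RTF variants can hide behind \'xx hex escapes. The "documents" it scans are constructed in memory for illustration; the hostname example.invalid is a placeholder.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Assumed indicators (not taken from the thread): the ms-msdt: handler scheme and
# an external oleObject relationship. Both are heuristics, not proof of exploitation.
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)
RTF_HEX_ESCAPE = re.compile(rb"\\'([0-9A-Fa-f]{2})")


def scan_docx(data: bytes) -> list:
    """Flag external OLE-object relationships and any ms-msdt: reference in an OOXML zip."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            raw = z.read(name)
            if MSDT_SCHEME.search(raw):
                hits.append(f"{name}: ms-msdt: handler referenced")
            for rel in ET.fromstring(raw).iter():
                if not rel.tag.endswith("Relationship"):
                    continue
                external = rel.get("TargetMode") == "External"
                if external and rel.get("Type", "").endswith("/oleObject"):
                    hits.append(f"{name}: external oleObject -> {rel.get('Target', '')}")
    return hits


def rtf_unescape(data: bytes) -> bytes:
    """Resolve \\'xx hex escapes so a string split across escapes becomes visible."""
    return RTF_HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_rtf(data: bytes) -> list:
    """Flag ms-msdt: references in an RTF body after de-escaping."""
    text = rtf_unescape(data)
    return [f"rtf: {m.group(0).decode()} at offset {m.start()}"
            for m in MSDT_SCHEME.finditer(text)]


def scan_file(data: bytes) -> list:
    """Dispatch on magic bytes: PK zip (OOXML) or {\\rtf; anything else is ignored."""
    if data.startswith(b"PK\x03\x04"):
        return scan_docx(data)
    if data.lstrip().startswith(b"{\\rtf"):
        return scan_rtf(data)
    return []


def build_sample_docx(rels_xml: bytes) -> bytes:
    """Construct a minimal .docx-shaped zip in memory (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed samples: one rels file with an external oleObject, one without,
# and an RTF whose ms-msdt: string is broken up by a hex escape.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE}/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{REL_TYPE}/oleObject"
                Target="http://example.invalid/stage2.html!" TargetMode="External"/>
</Relationships>""".encode()

BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE}/styles" Target="styles.xml"/>
</Relationships>""".encode()

SAMPLE_RTF = b"{\\rtf1\\ansi Hello ms-ms\\'64t:/example goodbye}"

if __name__ == "__main__":
    for label, blob in [("suspicious.docx", build_sample_docx(SUSPICIOUS_RELS)),
                        ("benign.docx", build_sample_docx(BENIGN_RELS)),
                        ("sample.rtf", SAMPLE_RTF)]:
        print(label, scan_file(blob) or "clean")
```

Because the preview pane renders RTF without the document being "opened", a scanner like this belongs at the mail gateway or file-share ingest, not in the user's hands; the mitigation Microsoft published at the time was to unregister the ms-msdt: protocol handler in the registry so the handler string has nothing to reach.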
 
HackTheBox just released a new web exploitation certificate for $1,300. It is getting so hard to stay on the morally correct side of the keyboard when, in order to switch my focus in my cyber career, I have to have a one-thousand-dollar cert backing it up or I will get nothing worth my time and experience. I was told at one point that some interviews take CTF scorecards into account when hiring. Does anyone here have any experience with that?
 
SANS would like a word. Theirs are US$8,500 and up.
It's actually insane, and that's not even mentioning the upkeep on these. I understand the thought behind it is to either have your company sponsor you or to have it replace a degree, but these prices for a test alone just make my head hurt. Maybe I'm too lazy and cheap, but I like learning new skills and want something professional to show for it without groveling to my boss.
 
I was told at one point that some interviews take CTF scorecards into account when hiring. Does anyone here have any experience with that?
For my first pentesting job, I was told my HTB rank was one of the deciding factors in hiring me over other candidates. When I eventually ended up running interviews it was one of the things we looked for in good candidates; we would score high ranks on CTF platforms like HTB roughly equivalent to some of the low- to mid-level certs like OSCP and OSWE. It's been around four years now since I left that job, but I imagine they still do something like that. Maybe the rankings are different now that boxes are more standardised? Can't say I know anything about their new HTB cert.

It is getting so hard to stay on the morally correct side of the keyboard
I have probably said something like this to myself a hundred times in my heckin soyber security career when I look at bugs that are used to steal unbelievable amounts of money and data. I figured I'm too shit at covering my tracks to actually get away with crimes, and that it is safer to stick to my desk job of finding similar bugs in corporate shitware instead.

If you wanna have a low-stakes shot at trying your skills at some real prod targets, bug bounty is how you do it. Don't expect wins like in a CTF though, biggest difference between a CTF and the real world is in the CTF you know there's an issue there to be found and exploited, IRL there's no guaranteed bug or issue there to be able to check yourself with the "it's just a skill issue, try harder" method that gets us all through our CTF years.

Once you're in a consulting job, you can't spend six weeks hunting an obscure bug in a third-party dependency and R&D-ing it into a workable exploit for your target app, because time is money and ACME LLC isn't gonna pay for that time (ironically your employer will pay for a similar amount of time spent doing that to get some expensive cert that says you passed the CTF for it, which qualifies you in jiggling the splines of certain types of software in a special way, only to never do that in your day job). You just have to cast your net wide to catch any low-hanging fruit and go as deep as your time limit allows, praying for gets, which is really unsatisfying after the first few years of "wow I'm finally here and doing it" wears off and you're testing the same app for the Nth year in a row with some manager breathing down your neck for a report that is due in a few hours and contains 85% identical content to the one you wrote a year ago, because they fix things at the rate of one thing per year.

I'm jaded if you can't tell.
 
I'm jaded if you can't tell.
We all end up a bit jaded eventually when we choose to work with this shit, tbh. Either because people don't fucking patch shit that you tested a year ago, in your case with offensive, or because people don't fucking patch shit we found in scans and threat hunts months ago, in my case with defensive. Oh, and you have to juggle reports that say damn near the same fucking shit every month like clockwork and just slightly change the wording, even though the clients just glaze over when you tell them yes, these critical vulns do in fact need to be patched or they will eat shit and make the poor SOC's life hell when they do get breached.
 
Today I sperged to my VPN provider. All day I was unable to access the Farms with the VPN on. I've been having trouble for a while now; I've had to restart the VPN connection to get through. Today even that did not help.

So I sperged a little to their feedback address. Well, kiwifarms.st started working with the VPN one hour later.
Now I am under the delusion that F-Secure did indeed have the site blacklisted and unblocked it because of one sperg.

EDIT: Well fucking apparently they just let me in after 18:00 or fucking something. Fags.
 
Does anyone know any good privacy-focused email providers with IMAP/POP support that aren't behind a paywall? Or do I unfortunately have to build my own email server?
 
American tech companies are pitiful; the Chinese eat them for breakfast, it's so bad.

American cybersec in general is shit; we just got a shit ton of our SSNs leaked.
Well, that's because the cyber teams of most American tech firms are full of pajeets who don't care about their work at all. Or don't understand it. They pay tens of thousands of dollars to greedy private "colleges" to get "Master's degrees" in "Cybersecurity" (more like certificates in basic computing concepts that 9/10 aren't applicable in industry). It's genuinely laughable what these programs teach. A $300 AWS certification would be more useful.
 
So you're saying MFA and phone triangulation procedures have encouraged the establishment of botnets that pawn devices and sell them on the dark web? Wow who could have thunk. It's almost like these things endanger people in our society more than it protects them. Or maybe corporations always planned to do this to pin point whistleblowers and trolls online that harm their products marketing.
 
I always knew that IoT devices were a huge flaw, but what I didn't realize is that all these boomer widgets that people buy and connect to their wifi are sometimes participating in a MASSIVE DDoS cluster, and also selling your home network out as a form of residential proxy, another weird thing.
I'm curious what will happen here, as the cat's out of the bag now, and people aren't going to stop buying free cheap TV boxes, or wifi coffee machines.
 
OK, this is pretty relevant given a slew of bills about to get royal assent and basically fuck my security by mandating companies build backdoors into their software for "lawful use", but is there a way to "patch" the impending backdoors, so to speak, on local networks or make them much harder to access? Not because I think I'll get raided by the RCMP, but because hackers are likely watching this and licking their chops for all the data they are about to get access to, and I don't feel like having my security gaped like a prolapsed asshole. Wouldn't surprise me if the UK mandates the same soon, or even U.S. states, so it may be time to have this discussion now rather than later when it gets to the U.S.'s doorstep like the age verification thing did.
 
Start small and do what you can, when you can. Fortunately, the "good stuff" is usually free to explore and get into and hardware is relatively cheap, though nowadays that might not mean "cheap." You can set up your own routers with pretty much any computer, what changes is the OS/firmware, of which there are good, free options out there.

I'd suggest you start with a router you control, this may have to sit between you and your ISP's home router, that's fine, and then set up VLANs (virtual local area networks) so you understand isolating the devices you can't control so easily, like all the IoT garbage people have. You'd be able to have a smart TV on a network (VLAN) that simply cannot touch the internet while still having regular wifi that you use regularly and a guest network for people you don't want connecting to the same network as your personal computers or whatever. Any computer can be set up as this router, you just need to install the right operating system on it.

Another area of concern is your online accounts. This is out of your direct control so more about taking preventative measures as you go after an initial self audit.
  • Strong, unique passwords. Longer is better.
    • A password manager is almost a must
  • Use MFA everywhere it's offered
    • Back up your TOTP codes (the 6-digit codes from some mobile app)
    • Use a free and open-source TOTP app if you can; you can export from Google Authenticator and the like so that's not in the cloud
  • Don't share any personal emails unless absolutely required
  • Avoid "cloud services" as much as possible, but if you can't, lock them down as much as possible
  • Lie when setting up accounts unless your identity is necessary or may be necessary in the future
    • Use common sense
    • Password managers can help manage your lies
  • Make backups of all important data
It's a lot to take in but every little thing goes a long way and over time it becomes more intuitive.
 